Login.gov provides a secure, shared sign-in service for government agencies. Users create one account — with an email address, password, and multi-factor authentication (MFA) — to access participating government websites. This article covers how authentication works, available MFA methods, session behavior, and key configuration options for partner agencies.
Multi-Factor Authentication (MFA) Methods
All Login.gov users must set up at least one MFA method after creating a password. Supported methods include:
- Phone (SMS or voice call): Receive a one-time code via text message or phone call
- Authentication application: Generate security codes using a supported authenticator app
- Face or touch unlock: Use your device’s built-in biometric hardware (e.g., Face ID, Touch ID, fingerprint reader) or PIN to set up a passkey — see our [Face or Touch Unlock guide] for details
- PIV/CAC card: Government employee and contractor ID cards
- Security key: A physical FIDO2-certified key
- Backup codes: A pre-generated list of one-time codes — accessible for users without a phone
For the most current information on MFA options, see Authentication Methods on the Login.gov help center.
MFA Reset
Login.gov does not provide partners the ability to reset or remove MFA options from user accounts. If a user suspects fraud, they can delete their account (which removes all associated MFA). If a partner suspects fraud, they can request the Login.gov Fraud team investigate the account.
Password Requirements
Login.gov enforces the following password policies, aligned with NIST 800-63B guidelines:
- Minimum length of 12 characters
- Screening against common or compromised passwords, including those with repeating letters, popular words, or passwords found in security breaches
- A password strength meter aligned with NIST guidelines
Session Management
Session Timeout
A user’s Login.gov session lasts for 15 minutes following their last activity. After this period, the user must re-enter their email, password, and MFA to sign in again. This timeout is consistent regardless of whether the user is accessing applications within the same agency or across different agencies.
This 15-minute timeout applies only to the Login.gov session. Partner applications manage their own session timeouts independently.
“Remember This Device”
After entering their email and password, users may check a “Remember this device” checkbox. This prevents the user from needing to re-enter MFA on their next sign-in (up to 30 days on the same device), with important exceptions:
- AAL2 applications: Partners configured for AAL2 authentication (or implied AAL2 such as IAL2) are excluded from this feature. Users will always need to complete MFA for these applications.
- Identity verification applications: If your application’s Level of Service in the Partner Portal is set to “Identity verification permitted,” MFA will always be required even if an AAL1 value is specified – whether in the portal or in the authentication request.
- Session lifetime: “Remember this device” does not extend the 15-minute session timeout. Users still need to re-enter their email and password after inactivity.
Single Sign-On Behavior
If a user signs in to Login.gov and then accesses a different application (same agency or different) within the 15-minute session window, their credentials are remembered and they do not need to re-enter email, password, or MFA.
MFA in the Sandbox Environment
MFA cannot be bypassed or disabled in the sandbox. MFA is an integral part of the Login.gov authentication process and must remain in place in the sandbox to mirror the production experience. If MFA were bypassed, partners would not be able to properly test AAL configurations and step-up flows.
For faster testing, Login.gov recommends:
- Automated tests: Set up an authentication application as the MFA method and use a development tool that can generate time-based one-time passwords (TOTPs) in your automation scripts.
- Manual testing at AAL1: Use the “Remember this device” feature to bypass MFA for 30 days on the same device (only works if your app does not require AAL2 or identity verification).
- PIV/CAC shortcut: If testers have a PIV/CAC card, they can add it as an MFA option on their sandbox Login.gov account, and use the “Sign in with your government employee ID” link for quick sign-in.
- Password manager: Use a password manager that supports TOTP generation with a browser extension to auto-fill email, password, and one-time code.
- Face or touch unlock: Set it up as an MFA option and use it in combination with a password manager for the fastest manual sign-in.
Third-Party Authentication Tools
Login.gov’s Rules of Use require users to keep personal and login information confidential, but do not expressly prohibit the use of third-party tools that a user delegates sign-in tasks to. If a third party accesses an account without user consent, that would be a violation.
If you believe a system has been compromised, please contact us at partners@login.gov
CJIS and Pub 1075 Compliance
Login.gov follows NIST 800-63B password guidelines